Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the Seamless campaign:

I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run:

This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to a RIG exploit kit landing page being hosted at the subdomain top.northwestfloridacannabis.org at 185.154.52.233:

As you can see from the TCP stream the GET request for flow335.php returned an iframe containing a URL for a RIG exploit kit landing page. It also contained the following string at the very bottom:

If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html

The host is then sent the Flash exploit and the malware payload. The malware payload was dropped and executed in %Temp%:

The malware copies itself to %AppData% and creates some .log files:

It also creates a .log file in ProgramData (64 characters):

We also see it modify and set some values in the registry:

HKCU\Software\AppDataLow\[GUID]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

It also writes to a start menu file:

I found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to hosts in the private address space via TCP port 110 (POP3). The POP3 requests caused the following ET rule to trigger: